This new malware that we have discovered and named CDRThief is designed to target a very specific VoIP platform, used by two China-produced softswitches (software switches): Linknat VOS2009 and VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and management. These softswitches are software-based solutions that run on standard Linux servers.

The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDR). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, starting time of the call, call duration, calling fee, etc.

To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform.

Linux/CDRThief analysis

We noticed this malware in one of our sample sharing feeds, and as entirely new Linux malware is a rarity, it caught our attention. What was even more interesting was that it quickly became apparent that this malware targeted a specific Linux VoIP platform. Its ELF binary was produced by the Go compiler with the debug symbols left unmodified, which is always helpful for the analysis.

To hide malicious functionality from basic static analysis, the authors encrypted all suspicious-looking strings with XXTEA and the key fhu84ygf8643, and then base64 encoded them. Figure 1 shows some of the code the malware uses to decrypt these strings at runtime.

Figure 1. The routine used to decrypt the binary's strings

To access internal data stored in the MySQL database, the malware reads credentials from Linknat VOS2009 and VOS3000 configuration files that it attempts to locate in the following paths:

  • /usr/kunshi/vos2009/server/etc/server_db_config.xml
  • /usr/kunshi/vos3000/server/etc/server_db_config.xml
  • /home/kunshi/vos2009/server/etc/server_db_config.xml
  • /home/kunshi/vos3000/server/etc/server_db_config.xml
  • /home/kunshi/vos2009/etc/server_db_config.xml
  • /home/kunshi/vos3000/etc/server_db_config.xml
  • /usr/kunshi/vos2009/server/etc/serverdbconfig.xml
  • /usr/kunshi/vos3000/server/etc/serverdbconfig.xml

Interestingly, the password from the configuration file is stored encrypted. However, Linux/CDRThief malware is still able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented as far as we can tell. It means that the attackers had to reverse engineer platform binaries or otherwise obtain information about the AES encryption algorithm and key used in the Linknat code.

As seen in Figure 2, CDRThief communicates with C&C servers using JSON over HTTP.

Figure 2. Captured network communication of the Linux/CDRThief malware

There are multiple functions in Linux/CDRThief’s code used for communication with C&C servers. Table 1 contains the original names of these functions used by the malware authors.

Table 1. Functions used for communication with C&C

Function name C&C path Purpose
main.pingNet /dataswop/a Checks if C&C is alive
main.getToken /dataswop/API/b Obtains token
main.heartbeat /dataswop/API/gojvxs Main C&C loop, called every three minutes
main.baseInfo /dataswop/API/gojvxs Exfiltrates basic information about compromised Linknat system:
#rowspan#

  •        MAC address
#rowspan#

  •        cat /proc/version
#rowspan#

  •        whoami
#rowspan#

  •        cat /etc/redhat-release
#rowspan#
  •        UUID from /bin/ibus_10.mo (or / home/kunshi/base/ibus_10.mo )
main.upVersion /dataswop/Download/updateGoGoGoGoGo Updates itself to the latest version
main.pushLog /dataswop/API/gojvxs Uploads malware error log
main.load /dataswop/API/gojvxs Exfiltrates various information about the platform:
#rowspan#

  •        SELECT SUM(TABLE_ROWS) FROM information_schema.TABLES WHERE table_name LIKE 'e_cdr_%'
#rowspan#

  •        cat /etc/motd
#rowspan#
  •        username, encrypted password, IP address of the database
#rowspan#
  •        ACCESS_UUID from server.conf
#rowspan#

  •        VOS software version
main.syslogCall /dataswop/API/gojvxs Exfiltrates data from e_syslog tables
main.gatewaymapping /dataswop/API/gojvxs Exfiltrates data from e_gatewaymapping tables
main.cdr /dataswop/API/gojvxs Exfiltrates data from e_cdr tables

In order to exfiltrate data from the platform, Linux/CDRThief executes SQL queries directly to the MySQL database. Mainly, the malware is interested in three tables:

  • e_syslog – contains log of system events
  • e_gatewaymapping – contains information about VoIP gateways (see Figure 3)
  • e_cdr – contains call data records (metadata of calls)

Figure 3. Disassembled code of the function that initializes an SQL query

Data to be exfiltrated from the e_syslog, e_gatewaymapping, and e_cdr tables is compressed and then encrypted with a hardcoded RSA-1024 public key before exfiltration. Thus, only the malware authors or operators can decrypt the exfiltrated data.

Based on the described functionality, we can say that the malware’s primary focus is on collecting data from the database. Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version.

The malware can be deployed to any location on the disk under any file name. It’s unknown what type of persistence is used for starting the malicious binary at each boot. However, it should be noted that once the malware is started, it attempts to launch a legitimate binary present on the Linknat VOS2009/VOS3000 platform using the following command:

exec -a '/home/kunshi/callservice/bin/callservice -r /home/kunshi/.run/callservice.pid'

This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerading as a component of the Linknat softswitch software.

At the time of writing we do not know how the malware is deployed onto compromised devices. We speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a vulnerability. Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past.

Conclusion

We analyzed Linux/CDRThief malware, which has a unique purpose to target specific VoIP softswitches. We rarely see VoIP softswitches targeted by threat actors; this makes the Linux/CDRThief malware interesting.

It’s hard to know the ultimate goal of attackers who use this malware. However, since this malware exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud (IRSF).

For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.

Indicators of Compromise

ESET detection name

Linux/CDRThief.A

File based mutexes

/dev/shm/.bin
/dev/shm/.linux

Files created during malware update

/dev/shm/callservice
/dev/shm/sys.png

Hashes

CC373D633A16817F7D21372C56955923C9DDA825
8E2624DA4D209ABD3364D90F7BC08230F84510DB (UPX packed)
FC7CCABB239AD6FD22472E5B7BB6A5773B7A3DAC
8532E858EB24AE38632091D2D790A1299B7BBC87 (Corrupted)
82F51F098B85995C966135E9E7F63D1D8DC97589 (UPX packed)

C&C

http://119.29.173[.]65
http://129.211.157[.]244
http://129.226.134[.]180
http://150.109.79[.]136
http://34.94.199[.]142
http://35.236.173[.]187
http://update[.]callercore[.]com

Exfiltration encryption key (RSA)

-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQ3k3GgS3FX4pI7s9x0krBYqbMcSaw4BPY91Ln
tt5/X8s9l0BC6PUTbQcUzs6PPXhKKTx8ph5CYQqdWynxOLJah0FMMRYxS8d0HX+Qx9eWUeKRHm2E
AtZQjdHxqTJ9EBpHYWV4RrWmeoOsWAOisvedlb23O0E55e8rrGGrZLhPbwIDAQAB
-----END PUBLIC KEY-----

MITRE ATT&CK techniques

Note: This table was built using version 7 of the MITRE ATT&CK framework.

Tactic ID Name Description
Defense Evasion T1027 Obfuscated Files or Information Linux/CDRThief contains obfuscates strings in the payload.
T1027.002 Obfuscated Files or Information: Software Packing Some Linux/CDRThief samples are packed with UPX.
Credential Access T1552.001 Unsecured Credentials: Credentials In Files Linux/CDRThief reads credentials for MySQL database from a configuration file.
Discovery T1082 System Information Discovery Linux/CDRThief obtains detailed information about the compromised computer.
Collection T1560.003 Archive Collected Data: Archive via Custom Method Linux/CDRThief compresses stolen data with gzip before exfiltration.
Command and Control T1071.001 Application Layer Protocol: Web Protocols Linux/CDRThief uses HTTP for communication with C&C server.
Exfiltration T1041 Exfiltration Over C2 Channel Linux/CDRThief exfiltrates data to the C&C server.